Frequently asked questions about Corporate Account Takeovers

What is CATO?

Corporate account takeovers (CATOs) occur when cyber thieves gain control of systems by stealing sensitive employee credentials and information. Criminals can then initiate fraudulent wire transfers and transactions through the ACH to any account. Thieves typically access a computer via malicious software (malware), which can infect a computer through e-mail, through websites, or disguised as software. It is necessary to fully understand the severity of these attacks and their effects on client confidence, as well as their potential implications for your institution’s reputation. The DOB recognizes the growing risks in cyber crimes and the need for financial institutions to identify, develop, and implement appropriate risk management systems.

Examples of CATO

In May 2010, Golden State Bridge, an engineering and construction company based in Martinez, Calif., was robbed of more than $125,000 when cybercriminals hacked into its bank account. The hackers made two automated clearinghouse batch transactions with the office manager’s user name and password, routing stolen money to eight other banks across the country. Ann Talbot, Golden State’s chief financial officer, learned later that the office manager had violated policy by visiting a social networking site, which the company said it believed was how her computer was infected with malicious software, or “malware,” that antivirus software did not detect.

A California escrow firm has been forced to take out a high-cost loan to pay back $465,000 that was stolen when hackers hijacked the company’s online bank account earlier this year. In March, computer criminals broke into the network of Redondo Beach-based Village View Escrow, Inc. and sent 26 consecutive wire transfers to 20 individuals around the world who had no legitimate business with the firm. Owner Michelle Marisco said her financial institution at the time, Professional Business Bank of Pasadena, Calif., normally notified her by e-mail each time a new wire was sent out of the company’s escrow account. However, the attackers apparently disabled that feature before initiating the fraudulent wires.

Collaboration between the banks and the Federal Bureau of Investigation helped build a case against Waya Nwaki, a.k.a. Shawn Conley, who was arrested in December on charges of wire fraud conspiracy, wire fraud, aggravated identity theft, and conspiracy to gain unauthorized access to computers. According to the indictment filed with the U.S. District Court in New Jersey, between August 2000 and June 2010 Nwaki and six co-conspirators worked across three continents to launch phishing attacks through spoofed websites designed to mimic banks and payroll processors such as ADP. When online users visited the spoofed pages, they were asked to provide confidential personal and financial information, such as dates of birth, Social Security numbers, mothers' maiden names, and online account user names and passwords. Once the hackers obtained log-in credentials and answers to commonly asked security questions, they accessed online accounts to make unauthorized transfers to accounts they controlled and/or wired money overseas through money remittance providers such as Western Union and MoneyGram.